
Make the oidc-issuer configurator a CronJob to ensure correct JWKS for the in-cluster self-signed OIDC Issuer #2646

Open
kromanow94 opened this issue Mar 11, 2024 · 1 comment · May be fixed by #2667

Comments

@kromanow94
Contributor

Description

Currently the example kustomize for Kubeflow uses the setup for kind and vcluster, which contains logic for configuring m2m tokens with the self-signed OIDC Issuer served in-cluster behind the Kubernetes API. This configuration logic depends on a K8s Job that gets the JWKS and embeds it in a RequestAuthentication called m2m-token-issuer.

This embedding of JWKS is volatile because of two points:

  • a user can accidentally overwrite the RequestAuthentication, rendering the setup unusable
  • the JWKS can change, and this also has to be covered

The alternative is to embed the Kubernetes CA in the Istio container, but this is even more tricky:

Todo

Change the Job to CronJob and make it run every 5 minutes.

@kubeflow-bot kubeflow-bot added this to To Do in Needs Triage Mar 11, 2024
@juliusvonkohout
Member

@kromanow94 Yes, that sounds reasonable. Just make sure that the imagePullPolicy is IfNotPresent and the resource is only changed if needed, so kubectl apply instead of kubectl delete and create. The documentation must be updated as well.
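The following manifest is an added example of the CronJob shape discussed in the issue and in the comment above; it is not Kubeflow's own manifest or the code from PR #2667. It fetches the JWKS of the in-cluster issuer from the API server's `/openid/v1/jwks` endpoint every 5 minutes and re-applies the `m2m-token-issuer` RequestAuthentication with `kubectl apply`, so an unchanged resource is left untouched and an accidentally deleted or overwritten one is restored. The namespace `istio-system`, the issuer URL `https://kubernetes.default.svc.cluster.local`, the `bitnami/kubectl` image and the ServiceAccount/Role names are assumptions, not values from the issue.

```yaml
# Added example, not the Kubeflow project's manifest. Assumed values: namespace,
# issuer URL, image tag and the ServiceAccount/Role names below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-issuer-configurator
  namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: oidc-issuer-configurator
  namespace: istio-system
rules:
  # Least privilege: only the RequestAuthentication kind in this namespace.
  # Reading /openid/v1/jwks needs no extra rule; the built-in
  # system:service-account-issuer-discovery ClusterRole is bound to all
  # service accounts by default.
  - apiGroups: ["security.istio.io"]
    resources: ["requestauthentications"]
    verbs: ["get", "create", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oidc-issuer-configurator
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: oidc-issuer-configurator
subjects:
  - kind: ServiceAccount
    name: oidc-issuer-configurator
    namespace: istio-system
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: oidc-issuer-configurator
  namespace: istio-system
spec:
  schedule: "*/5 * * * *"        # refresh the JWKS every 5 minutes
  concurrencyPolicy: Forbid      # never let two refreshes race on the same resource
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          serviceAccountName: oidc-issuer-configurator
          restartPolicy: OnFailure
          containers:
            - name: configurator
              image: bitnami/kubectl:1.29   # assumed image; pin whatever the project uses
              imagePullPolicy: IfNotPresent
              command: ["/bin/sh", "-ec"]
              args:
                - |
                  # Current JWKS straight from the API server (in-cluster SA token is used).
                  JWKS="$(kubectl get --raw /openid/v1/jwks)"
                  # Refuse to apply an empty or unexpected payload.
                  echo "$JWKS" | grep -q '"keys"' || { echo "unexpected JWKS payload" >&2; exit 1; }
                  # kubectl apply is a no-op when the embedded JWKS has not changed.
                  kubectl apply -f - <<EOF
                  apiVersion: security.istio.io/v1beta1
                  kind: RequestAuthentication
                  metadata:
                    name: m2m-token-issuer
                    namespace: istio-system
                  spec:
                    jwtRules:
                      - issuer: https://kubernetes.default.svc.cluster.local
                        jwks: '$JWKS'
                  EOF
```

`concurrencyPolicy: Forbid` and `restartPolicy: OnFailure` keep a slow or failing run from stacking up, and because `kubectl apply` computes a diff server-side, the RequestAuthentication is only rewritten (and Istio only reloads it) when the key set actually rotated or someone changed the resource by hand. The JWKS JSON contains no single quotes, so wrapping it in a single-quoted YAML scalar is safe.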
